username local-user privilege 15 password 0 P@55w0rd
username MYUSER privilege 15 algorithm-type scrypt secret P@55w0rd
Set the enable secret
enable secret s3cr3t
Save
write mem
Set hostname
hostname SITE-3650
Don't try to look up hostnames
no ip domain lookup
Set up the line settings
line con 0
logging synchronous
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
Enable cdp
cdp run
Set NTP server
ntp server 172.30.123.1
Set default gateway (L2)
ip default-gateway 172.30.1.1
Set banner
banner login ^
*** MY BANNER ***
^
Enable ip routing (L3 functions)
ip routing
Set L3 default route
ip route 0.0.0.0 0.0.0.0 vlan 10 172.172.10.249
Set domain name
ip domain-name mydomain.ie
Generate rsa key (for ssh)
conf t
crypto key generate rsa general-keys label MYLABEL modulus 2048
Setup spanning tree
spanning-tree mode rapid-pvst
Set up local logging buffer
Generally it's set very low. Use dir to check how much space you have.
If you have a syslog server it's not an issue.
logging buffered 5000000 debugging
Set up AAA
aaa new-model
!
!
aaa group server radius NPS
server 172.16.50.1 auth-port 1645 acct-port 1646
server 172.16.50.2 auth-port 1645 acct-port 1646
!
aaa authentication login default group NPS local
aaa authentication login CON local
aaa authentication dot1x default group NPS local
!
!
!
aaa session-id common
Setup SVI on the switch
interface Vlan10
ip address 172.30.10.253 255.255.255.0
ip helper-address 172.16.1.50
Set management interface
interface Loopback100
description SWITCH MGMT
ip address 172.30.100.10 255.255.255.255
Setup so radius can come from the management IP
ip radius source-interface Loopback100
Set up radius
radius-server host 172.16.50.1 auth-port 1645 acct-port 1646
radius-server host 172.16.50.2 auth-port 1645 acct-port 1646
radius-server retransmit 0
radius-server timeout 1
radius-server key MY-SECRET-RADIUS-KEY
****
Side note - Upgraded a 3750E to 15.2 and it broke RADIUS.
Change to calling the group by server name:
aaa group server radius NPS
server name NPS-1
server name NPS-2
radius server NPS-1
address ipv4 172.16.35.63 auth-port 1645 acct-port 1646
pac key **********
!
radius server NPS-2
address ipv4 172.16.35.43 auth-port 1645 acct-port 1646
pac key ********
!
Setup your access ports
interface FastEthernet0/1
switchport mode access (set the port as an access port)
switchport access vlan 10 (data vlan for PC)
switchport voice vlan 200 (voice vlan for IP phone)
switchport port-security (turn on port security)
switchport port-security maximum 2 (max 2 MACs: phone and PC)
switchport port-security violation restrict (log and ignore the extra traffic)
spanning-tree portfast (don't wait 60 seconds to bring the port up)
spanning-tree bpduguard enable (err-disable the port if we detect switch/BPDU)
no shutdown (bring the port up)
Setup trunk ports
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
You may have to set the TFTP source interface
ip tftp source-interface
Setup VTP
You won't find settings in show run. Use "sh vtp status" and "sh vtp password" on another switch and configure the same settings on the new switch. Most likely you'll want to use the client mode.
SITE-3650#sh vtp status
VTP Version : running VTP2
Configuration Revision : 15
Maximum VLANs supported locally : 1005
Number of existing VLANs : 30
VTP Operating Mode : Client
VTP Domain Name : MYDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x7C 0x91 0x1E 0x52 0x99 0x80 0x60 0x5E
This version has an ACL (access-class 2) applied to the SSH lines
line con 0
session-timeout 15
exec-timeout 0 0
logging synchronous
login authentication CON
history size 256
line vty 0 4
session-timeout 15
access-class 2 in
exec-timeout 15 0
password 7 0034212757550A045E72
logging synchronous
length 0
history size 256
transport input ssh
transport output ssh
line vty 5 15
session-timeout 15
access-class 2 in
exec-timeout 15 0
password 7 0034212757550A045E72
logging synchronous
history size 256
transport input ssh
transport output ssh
Setup port channel interface if needed
interface Port-channel40
description "*** PortChan members gig1/1/1 and gig2/1/1 ***"
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
storm-control broadcast level 10.00
ip dhcp snooping trust
Setup port channel members (channel-group)
interface GigabitEthernet1/1/1
description *** Link to core ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
channel-group 40 mode on
ip dhcp snooping trust
end
interface GigabitEthernet2/1/1
description *** link to core ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust dscp
storm-control broadcast level 10.00
channel-group 40 mode on
ip dhcp snooping trust
Setup eigrp
router eigrp 100
network 172.30.1.0 0.0.0.255 (wildcard mask)
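The line, user and snooping settings above are easy to get subtly wrong: a type 0 or type 7 password left in the running config, a console line that never times out, an access-class that points at an ACL defined somewhere else (or nowhere), and ip dhcp snooping trust on a trunk when snooping was never enabled globally. The Python audit below is an added example, not part of these notes; it walks a constructed config fragment written in the same style as this page (SAMPLE_CONFIG and the check names are my own) and flags those settings.

```python
import re

# Constructed sample in the style of this page's notes (not the page's config):
# type 0 and type 7 passwords, a console that never times out, an access-class
# whose ACL is never defined, and snooping trust without global DHCP snooping.
SAMPLE_CONFIG = """\
username local-user privilege 15 password 0 P@55w0rd
username MYUSER privilege 15 algorithm-type scrypt secret P@55w0rd
line con 0
exec-timeout 0 0
line vty 0 4
access-class 2 in
password 7 0034212757550A045E72
transport input ssh
interface GigabitEthernet1/1/1
ip dhcp snooping trust
"""
# Commands that open a section; following lines belong to it (or to "global").
SECTION_RE = re.compile(r"^(line |interface |router |aaa group )")


def audit_ios_config(text):
    """Return (severity, check, context) tuples for weak settings in an IOS config."""
    findings, acls_used, acls_defined = [], set(), set()
    trust_ifaces, snooping_global, section = [], False, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if SECTION_RE.match(line):
            section = line
        if m := re.search(r"\bpassword (0|7) ", line):  # 0 = plaintext, 7 = reversible
            kind = "plaintext-password" if m.group(1) == "0" else "type7-password"
            findings.append(("high", kind, section))
        if line == "exec-timeout 0 0":  # idle sessions on this line never expire
            findings.append(("medium", "no-exec-timeout", section))
        if m := re.match(r"access-class (\S+) in$", line):
            acls_used.add(m.group(1))
        if m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls_defined.add(m.group(1))
        if line == "ip dhcp snooping":
            snooping_global = True
        elif line == "ip dhcp snooping trust":
            trust_ifaces.append(section)
    for acl in sorted(acls_used - acls_defined):  # referenced but not defined here
        findings.append(("medium", "undefined-acl", f"access-class {acl}"))
    if not snooping_global:  # per-port trust does nothing until snooping is enabled
        for iface in trust_ifaces:
            findings.append(("low", "snooping-trust-without-global", iface))
    return findings
```

Feed it the output of show running-config from the switch instead of SAMPLE_CONFIG to check a real box before it goes into production.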